Advanced Malware Detection
1. Malware Management
YOU CAN FIND THE MOST ADVANCED
MALWARE, EVEN THE SNEAKY NSA STUFF
WITH THIS METHOD
Michael Gough – Founder
Malware Archaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist,
Logoholic
• @HackerHurricane
• Inventor of the Malware Management Framework
• I love malware and malware discovery – send me your good
stuff ;-)
• I love logs – they tell us Who, What, Where, When and
hopefully How
– Created the “Windows Logging Cheat Sheet”
3. • We discovered this May 2012
• Met with the Feds ;-)
We know a bit about this one
4. Why we are here
• To learn something you CAN take back to
work and do tomorrow!
• Learn actionable Malware Management
• Provide you resources
• Education - Security 101
• And to avoid….
5. You’re Next
[Breach-victim slide: per-company record, store and location counts, shown on the slide without labels. Named organisations: Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP.]
6. Malware Management
• Anyone NOT practice Vulnerability
Management?
• Malware Management is basically the same
thing
• Review malware analyses, reports and
descriptions to tweak your tools and logs toward
where to look/monitor first
9. CryptoLocker
• Ransomware
• Stupid malware
• Dropped executable in %AppData% root
– C:\Users\<username>\AppData\Roaming
• There are NEVER any .EXE’s here
• User initiated by clicking on something or Email
– But drive by infection possible too
11. Log for CryptoLocker type event
• Dropped in the root of %AppData%
– AppData\Roaming
• Enable Auditing (object access) – EventID
4663
12. BlackPoS
• Target… YAY
• Many others
• After getting some stuff for the house (Target)
I went to get a Sub for lunch (Jimmy John’s)
and then shopping for a new suit (Neiman
Marcus) and then off to the craft store to get
kids stuff for school (Michael’s) and after all
that running around I needed a drink (Spec’s)
16. BackOff
• Home Depot – Got Toilet?
• Many others, possibly 1000+
• And then after dinner (P.F. Changs) I went to
the building supply (Home Depot) to pick up
some studs… and then did a night deposit at
the bank (Chase, Citi..)
20. Actionable PoS Detection
• %AppData% (Roaming\New Dir)
• Looks like Java, Adobe, but it’s not normally
installed to these locations
• Installs Service
• Updates the Run Key
21. Now ATM’s??? - Tyupkin
• More Stoopid malware
• Dropped in System32
• EventID 4663
• Run Key
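The where-to-look rules from slides 9/11 (an .EXE in the root of %AppData%\Roaming), 20 (a vendor-looking folder under Roaming that holds an executable) and 21 (an executable written into System32) as detection logic run over EventID 4663 lines. This is an added example, not code from the deck or from Malware Archaeology; the log format, field names and sample events are constructed for it.

```python
import re
from typing import Optional

# Constructed Security-log lines in the shape of EventID 4663 (object access) events.
# Usernames, file names and paths are made up for this example, not real indicators.
SAMPLE_4663 = [
    r"EventID=4663 Subject=ACME\jdoe AccessMask=0x2 ObjectName=C:\Users\jdoe\AppData\Roaming\Microsoft\Word\normal.dotm ProcessName=C:\Program Files\Microsoft Office\WINWORD.EXE",
    r"EventID=4663 Subject=ACME\jdoe AccessMask=0x2 ObjectName=C:\Users\jdoe\AppData\Roaming\kgwrtze.exe ProcessName=C:\Windows\explorer.exe",
    r"EventID=4663 Subject=ACME\pos01 AccessMask=0x2 ObjectName=C:\Users\pos01\AppData\Roaming\Java\javaupd.exe ProcessName=C:\Windows\System32\cmd.exe",
    r"EventID=4663 Subject=NT AUTHORITY\SYSTEM AccessMask=0x2 ObjectName=C:\Windows\System32\dropped.exe ProcessName=C:\Windows\explorer.exe",
    r"EventID=4663 Subject=ACME\jdoe AccessMask=0x1 ObjectName=C:\Windows\System32\svchost.exe ProcessName=C:\Windows\System32\services.exe",
]
# Rules from the deck: executable in the root of %AppData%\Roaming (CryptoLocker),
# Java/Adobe-looking folder under Roaming holding an executable (BlackPoS / BackOff),
# executable written into System32 (Tyupkin). Paths are matched case-insensitively.
RULES = [
    ("appdata-root-exe", re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.(exe|dll|scr)$", re.I)),
    ("appdata-fake-vendor", re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\(java|adobe)[^\\]*\\[^\\]+\.(exe|dll)$", re.I)),
    ("system32-exe-write", re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe$", re.I)),
]
WRITE_OR_ADDFILE = 0x2  # AccessMask bit for WriteData / AddFile on file objects
FIELDS = re.compile(r"Subject=(?P<subject>.+?) AccessMask=(?P<mask>0x[0-9a-f]+) "
                    r"ObjectName=(?P<obj>.+?) ProcessName=(?P<proc>.+)$", re.I)

def classify(line: str) -> Optional[str]:
    """Name of the first rule that fires on one 4663 line, or None if it looks benign."""
    m = FIELDS.search(line)
    if not m or "EventID=4663" not in line:
        return None
    if not int(m.group("mask"), 16) & WRITE_OR_ADDFILE:
        return None  # reads and directory listings are normal; only writes/creates matter
    for name, pattern in RULES:
        if pattern.match(m.group("obj")):
            return name
    return None

def triage(lines):
    """(subject, object, process, rule) for every line a rule fires on."""
    hits = []
    for line in lines:
        rule = classify(line)
        if rule:
            m = FIELDS.search(line)
            hits.append((m.group("subject"), m.group("obj"), m.group("proc"), rule))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_4663):
        print(" | ".join(hit))
```

The read of svchost.exe (AccessMask 0x1) is deliberately ignored: 4663 fires on every audited access, so without the write/create filter the System32 rule would flag normal service starts.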
22. Works for Linux too - Mayhem
• Jedi Tip
• Compare /proc to items running with ps
• Things in /proc not in ps are suspicious
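The /proc-versus-ps comparison from the Jedi Tip above, written out as an added example (not code from the deck). It assumes a Linux host with /proc mounted and a ps that accepts -eo pid=; the comparison itself is a pure function so it can be checked with constructed PID sets.

```python
import os
import subprocess

def pids_from_proc():
    """PIDs visible as numeric directories in /proc (the kernel's own view)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_from_ps():
    """PIDs as reported by ps, the tool a trojaned binary or LD_PRELOAD hook may filter."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(proc_pids, ps_pids):
    """Entries present in /proc but missing from ps (the suspicious set).
    Processes that exit between the two snapshots land here too, so
    compare more than once before treating a PID as hidden."""
    return sorted(proc_pids - ps_pids)

def stable_hidden(rounds=3):
    """PIDs hidden from ps in every round; one-off churn from short-lived
    processes drops out of the intersection."""
    survivors = None
    for _ in range(rounds):
        hidden = set(hidden_pids(pids_from_proc(), pids_from_ps()))
        survivors = hidden if survivors is None else survivors & hidden
    return sorted(survivors)

def describe(pid):
    """Best-effort (name, exe path) for a PID, read from /proc itself.
    Returns ("?", "?") for a PID that no longer exists."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            name = f.read().strip()
    except OSError:
        name = "?"
    try:
        exe = os.readlink(f"/proc/{pid}/exe")  # "(deleted)" suffix if the binary was removed
    except OSError:
        exe = "?"
    return name, exe

if __name__ == "__main__":
    # Caveat: ps reads /proc too, so a kernel-level hook that hides the directory
    # entry fools both sides and this check sees nothing; it catches userland tampering.
    for pid in stable_hidden():
        print(pid, *describe(pid))
```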
23. Windows is broken
• You don’t need an 0-Day
• Just a credential (Users click on stuff)
• Or just visit a website – drive-bys
• Targeted phish
• Etc, etc, etc.
• Drop a DLL next to any .EXE and BAM! Infected
(DLL injection)
• If you have the creds, just execute it and move on
24. What is your strategy?
• Do you believe you can prevent a breach?
• Do you believe you can detect a breach
– Within the average 210 days?
– Within 30 days?
– Within a week?
– Within a few days?
– Within a day?
– Within hours?
25. What is your strategy
• Or are you going to be told by a third party
(90%+)
• How do you address advanced attacks?
• Does your strategy include being proactive at
looking for attacks targeting your specific
industry?
26. The Malware Management Framework
• How do you validate your systems are clean of
something like BlackPoS or BackOff?
• Stuxnet, Flame, Duqu, SkyWiper, etc.
• The next thing…
• Did you look for these?
27. You’re Next
[Repeat of the breach-victim slide from slide 5.]
28. Malware Management
• You will see patterns
• %AppData%
• %Temp%
• \Windows, \Windows\System32,
\Windows\System32\WBEM
• Reg Keys, Domains, IP’s, etc.
• Many other indicators
• Build a Malware Matrix
• Tweak your tools or scripts… or pick 1 or 10
systems and do it manually!
29. Malware Management
• Do you know what is Good vs. Bad on your
systems?
• Do you re-image suspect or confirmed systems
with malware?
30. In Summary
• Malware is noisy
• We can detect it
• Malware Management Framework WORKS
• Create a Malware Matrix
• Tweak your tools and logging
• It only takes an hour or two a week
• YOU CAN DO IT!
31. Resources
• Our Website
– www.MalwareArchaeology.com
• The Malware Management Framework
– MalwareManagementFramework.Org
• Malware Report Standard
– To consistently report on what you found to others
• MalwareArchaeology.com/resources
– Windows Logging Cheat Sheet
• HackerHurricane.com - BLOG
– List of most malware analyses I read – Send me more!
32. Questions?
You can find us at:
• Michael@MalwareArchaeology.com
• MalwareArchaeology.com
• @HackerHurricane
• HackerHurricane.com (Blog)
• Yes – We do consulting ;-)